Shell Script query

Can anyone help me to prepare a menu driven
unix script ( hp ux) which does not allow users do any other
operations other than those specified in the menu. I have
framed queries respective to the options to be executed
depending on the option selected by the user. These queries
get the ouput after connecting to oracle database sqlplus. I
am stuck at this point...

Hi!
Ur soln was really helpful, I worked in the same direction ,
but should I specify the sqlplus login ,password explicitly in
the shell script, coz the security reasons I cant mention the
same for the LIVE envt...

First, if you only want to allow 1 selection from the menu (and not
return to it) the exec in the sample below works. However, if you want
to allow users to return to the menu script and make another selection,
you must run the script. I recommend sourcing the script ("source" in
csh and "." in ksh). This means running the called script in the
current instance of the shell, not a sub-shell.

Next, if you find that you must embed passwords in the script itself,
consider that you could have those scripts owned by a privileged user
(not the user who would actually run it) like root:sys or oracle:dba.
Set the permissions so that only the owner can read the script. Now the
contents are protected. Now enable it to be executed by anyone with the
SUID bit set. This means that the script will run with the permissions
of the owner, not the user running it.

Now comes the tricky part. The script must be written so that the user
can not escape from it and end up with a root or oracle sh. This means
using the trap command to trap all signals. Also, you must catch all
errors so that the script can't error out.

There is an obvious security concern with this approach. However, if
you are certain that the script only does EXACTLY what you intended it
to do, and there are no ways to exit to a sh, then you should be OK. If
you have to undergo a security audit by an outside firm, they typically
look for SUID programs and flag them as a security risk without even
looking at the scripts themselves.

If I am understanding you you want the user to log in and see a menu and
when he/she exits the menu you want his login session to end. The
easiest way to do this is to make the menu script the startup script for
that user in the /etc/passwd file have an entry like this

reporter:x:502:102::/home/reporter:/home/repor ter/menu.ksh

where reporter is the account and /home/reporter/menu.ksh is the menu
script.

The following is a sloppy menu script
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= 3D=3D=3D=3D=3D=3D=3D=3DBeginning of script=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
#!/usr/bin/ksh

DESCRIPTION
sudo allows a permitted user to execute a command as the
superuser (real and effective uid and gid are set to 0 and
root's group as set in the passwd file respectively).

sudo determines who is an authorized user by consulting the
file /etc/sudoers. By giving sudo the -v flag a user can
update the time stamp without running a command. The
password prompt itself will also time out if the password is
not entered with N minutes (again, this is defined at
installation time and defaults to 5 minutes).

If an unauthorized user executes sudo, mail will be sent
from the user to the local authorities (defined at
installation time).

sudo was designed to log via the 4.3 BSD syslog(3) facility
but can log to a file instead if so desired (or to both
syslog and a file).

All preferences are defined at installation time and are
derived from the options.h and pathnames.h include files as
well as as well as the Makefile.

OPTIONS
sudo accepts the following command line options:

-V The -V (version) option causes sudo to print the version
number and exit.

-l The -l (list) option will list out the allowed and
forbidden commands for the user on the current host.

-h The -h (help) option causes sudo to print the version of
sudo and a usage message before exiting.

-v If given the -v (validate) option, sudo will update the
user's timestamp file, prompting for a password if
necessary. This extends the sudo timeout to for another
N minutes (where N is defined at installation time and
defaults to 5 minutes) but does not run a command.

-k The -k (kill) option to sudo removes the user's
timestamp file, thus requiring a password the next time
sudo is run. This option does not require a password

6/Oct/96 Last change: 1.5.3 1

sudo(8) MAINTENANCE COMMANDS sudo(8)

and was added to allow a user to revoke sudo permissions
from a .logout file.

-b The -b (background) option tells sudo to run the given
command in the background. Note that if you use the -b
option you cannot use shell job control to manipulate
the command.

-p The -p (prompt) option allows you to override the
default password prompt and use a custom one. If the
password prompt contains the %u escape, %u will be
replaced by the user's login name. Similarly, %h will
be replaced by the local hostname.

-u The -u (user) option causes sudo to run the specified
command as a user other than root. To specify a uid
instead of a username, use "#uid".

-s The -s (shell) option runs the shell specified by the
SHELL environmental variable if it is set or the shell
as specified in passwd(5).

-H The -H (HOME) option sets the HOME environmental
variable to the homedir of the target user (root by
default) as specified in passwd(5).

-- The -- flag indicates that sudo should stop processing
command line arguments. It is most useful in
conjunction with the -s flag.

RETURN VALUES
sudo quits with an exit value of 1 if there is a
configuration/permission problem or if sudo cannot execute
the given command. In the latter case the error string is
printed to stderr via perror(3). If sudo cannot stat(2) one
or more entries in the user's PATH the error is printed on
stderr via perror(3). (If the directory does not exist or
if it is not really a directory, the entry is ignored and no
error is printed.) This should not happen under normal
circumstances. The most common reason for stat(3) to return
"permission denied" is if you are running an automounter and
one of the directories in your PATH is on a machine that is
currently unreachable.

SECURITY NOTES
sudo tries to be safe when executing external commands.
Variables that control how dynamic loading and binding is
done can be used to subvert the program that sudo runs. To
combat this the LD_*, SHLIB_PATH (HP-UX only), LIBPATH (AIX
only), and _RLD_* environmental variables are removed from
the environment passed on to all commands executed. sudo
will also remove the IFS, ENV, BASH_ENV and KRB_CONF

6/Oct/96 Last change: 1.5.3 2

sudo(8) MAINTENANCE COMMANDS sudo(8)

variables as they too can pose a threat.

To prevent command spoofing, sudo checks "." and "" (both
denoting current directory) last when searching for a
command in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environmental variable
is not modified and is passed unchanged to the program that
sudo executes.

sudo will check the ownership of its timestamp directory
(/var/run/sudo or /tmp/.odus by default) and ignore the
directory's contents if it is not owned by root and only
read, writable, and executable by root. On systems that
allow users to give files away to root (via chown), if the
timestamp directory is located in a directory writable by
anyone (ie: /tmp), it is possible for a user to create the
timestamp directory before sudo is run. However, because
sudo checks the ownership and mode of the directory, the
only damage that can be done is to "hide" files by putting
them in the timestamp dir. This is unlikely to happen since
once the timestamp dir is owned by root and inaccessible by
any other user the user placing files there would be unable
to get them back out. To get around this issue you can use
a directory that is not world-writable for the timestamps
(/var/adm/sudo for instance).

sudo will not honor timestamp files set far in the future.
Timestamp files with a date greater than current_time + 2 *
TIMEOUT will be ignored and sudo will log the anomaly. This
is done to keep a user from creating his/her own timestamp
file with a bogus date.

FILES
/etc/sudoers file of authorized users.

ENVIRONMENT VARIABLES
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
HOME In -s mode, set to homedir of root (or runas

user)
if built with the SHELL_SETS_HOME option
SUDO_PROMPT Replaces the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
SUDO_PS1 If set, PS1 will be set to its value

6/Oct/96 Last change: 1.5.3 3

sudo(8) MAINTENANCE COMMANDS sudo(8)

AUTHORS
Many people have worked on sudo over the years, this version
consists of code written primarily by:

DISCLAIMER
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA.

CAVEATS
There is no easy way to prevent a user from gaining a root
shell if that user has access to commands allow shell
escapes. Running shell scripts via sudo can expose the same
kernel bugs that make setuid shell scripts unsafe on some
operating systems.

Hi Pete!
U got rightly I am framing for the helpdesk, so the
startup script is the best so that users are not allowed to do
any other options other than those specified in the menu... if
in case the other keys are used it should not log off but
should flash him to select only the options given

Hi Sheetal,
I will tell you the simple way to do..
Once you have wrote the menu script and completed all other script, you identify which user will be using the menu program. I mean the login name. IF all are going to use the progra, you will have to create one login which all will access.
What to do now......
login as root or that login id. Go to the .profile file. Go to the end of the .profile and add the following command..
exec <script fie name>

What will happen when ever the user logs in it will take you directly to the menu itself. In the menu have an option of Exit. and when user press option exit, he is logged out of the system. For this use Exit command.
ANd yes you will have to trape the other keys like contrl C or control back space. Give this user a restricted shell and all youe script executive permission to the user.